Data ONTAP Discussions



Hi Team,


Looking for a solution for vulnerabilities; please check the attached file for details.


NetApp Release 8.2.3P3 7-Mode: Tue Apr 28 14:48:22 PDT 2015


The 'EJBInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by the following vulnerabilities :


  - A security bypass vulnerability exists due to improper restriction of access to the console and web management interfaces. An unauthenticated, remote attacker can exploit this, via direct requests, to bypass authentication and gain administrative access.



  - A remote code execution vulnerability exists due to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets not properly restricting access to profiles. An unauthenticated, remote attacker can exploit this to bypass authentication and invoke MBean methods, resulting in the execution of arbitrary code.



  - A remote code execution vulnerability exists in the EJBInvokerServlet and JMXInvokerServlet servlets due to the ability to post a marshalled object. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to install arbitrary applications. Note that this issue is known to affect McAfee Web Reporter versions prior to or equal to version 5.2.1 as well as Symantec Workspace Streaming version and possibly earlier.





Thanks & Regards

Prajyot Katakdound




Re: vulnerability

Time to upgrade to 8.2.5p2

Re: vulnerability

Thank you very much, team, but could you also help me with any technote which could justify the same?



Thanks & Regards

Prajyot Katakdound


Re: vulnerability

Please check. If it's not listed here, I'd open a Support case.

Re: vulnerability

A support case is the recommended action to resolve items from a scanner report.

Anyone prioritizing security for 7-Mode ONTAP should be targeting the latest P release of 8.2.5.

These CVEs cover JBoss and HP ProCurve Manager, neither of which is shipped in ONTAP.
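A way to check whether a scanner finding like this one is real before opening a case, as an added example that is not from this thread and not NetApp's own tooling: a JBoss invoker servlet that is genuinely exposed answers a plain GET on /invoker/JMXInvokerServlet with HTTP 200, Content-Type application/x-java-serialized-object and a body that begins with the Java serialization stream magic 0xACED0005. A 404, a login page or a redirect at that path means the scanner matched on the URL alone. The sample responses are constructed, and the host, port and path names used by the live probe are assumptions.

```python
"""Triage helper for JMXInvokerServlet / EJBInvokerServlet scanner findings.

Added example; not code from the forum thread or from NetApp.  Sample responses
below are constructed, not captured from a real host.
"""
import http.client
from typing import Dict, Tuple

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"          # java.io.ObjectOutputStream header
SERIALIZED_CT = "application/x-java-serialized-object"
INVOKER_PATHS = ("/invoker/JMXInvokerServlet", "/invoker/EJBInvokerServlet")


def parse_raw_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(status: int, headers: Dict[str, str], body: bytes) -> str:
    """Decide what a response at an invoker path tells us.

    exposed-invoker : a real JBoss invoker answered with a marshalled object
    not-present     : the path does not exist on this server (likely false positive)
    auth-required   : the servlet exists but is behind authentication
    needs-review    : something else (HTML catch-all page, redirect, 5xx)
    """
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if status == 404:
        return "not-present"
    if status in (401, 403):
        return "auth-required"
    if status == 200 and (body.startswith(JAVA_STREAM_MAGIC) or ctype == SERIALIZED_CT):
        return "exposed-invoker"
    return "needs-review"


def probe(host: str, port: int = 8080, path: str = INVOKER_PATHS[0],
          timeout: float = 5.0) -> Tuple[int, Dict[str, str], bytes]:
    """Fetch one invoker path from a live host (network access; not used by the
    constructed samples).  host/port are assumptions, substitute the filer's
    management address.  Only the first bytes of the body are needed."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(64)
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body
    finally:
        conn.close()


# Constructed sample responses covering the cases a triage usually meets.
SAMPLES = {
    "jboss-invoker-open": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/x-java-serialized-object\r\n"
        b"Content-Length: 8\r\n\r\n" + JAVA_STREAM_MAGIC + b"\x73\x72\x00\x00"
    ),
    "path-missing": (
        b"HTTP/1.1 404 Not Found\r\n"
        b"Content-Type: text/html\r\n\r\n<html>Not Found</html>"
    ),
    "catch-all-login-page": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html; charset=utf-8\r\n\r\n<html><title>Login</title></html>"
    ),
    "redirect": b"HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n",
}


def triage_samples(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Classify every constructed sample; returns name -> verdict."""
    return {name: classify(*parse_raw_response(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:24s} {verdict}")
```

Only an "exposed-invoker" verdict supports the scanner's claim; "not-present" or "needs-review" is what a path-only match on a non-JBoss web server looks like, and is the evidence worth attaching to the support case.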